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Question: 1 


Note: This question is part of a series of questions that use the same or similar answer choices. An 
answer choice may be correct for more than one question in the series. Each question is independent 
of the other questions in this series. Information and details provided in a question apply only to that 
question. 

Your network contains an Active Directory domain named contoso.com. The domain contains a 
domain controller named Server1. 

You recently restored a backup of the Active Directory database from Server1 to an alternate 
Location. 

The restore operation does not interrupt the Active Directory services on Server1. 

You need to make the Active Directory data in the backup accessible by using Lightweight Directory 
Access Protocol (LDAP). 

Which tool should you use? 


A. Dsadd quota 

B. Dsmod 

C. Active Directory Administrative Center 
D. Dsacls 

E. Dsamain 

F. Active Directory Users and Computers 
G. Ntdsutil 

H. Group Policy Management Console 


Answer: E 


Question: 2 


Note: This question is part of a series of questions that use the same or similar answer choices. An 
answer choice may be correct for more than one question in the series. Each question is independent 
of the other questions in this series. Information and details provided in a question apply only to that 
question. 

Your network contains an Active Directory domain named contoso.com. 

You need to limit the number of Active Directory Domain Services (AD DS) objects that a user can 
create in the domain. 

Which tool should you use? 


A. Dsadd quota 


B. Dsmod 
C. Active Directory Administrative Center 
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D. Dsacls 

E. Dsamain 

F. Active Directory Users and Computers 
G. Ntdsutil 

H. Group Policy Management Console 


Answer: A 


Question: 3 


Note: This question is part of a series of questions that use the same or similar answer choices. An 
answer choice may be correct for more than one question in the series. Each question is independent 
of the other questions in this series. Information and details provided in a question apply only to that 
question. 

Your network contains an Active Directory forest named contoso.com. The forest functional level is 
Windows Server 2012 R2. 

You need to ensure that a domain administrator can recover a deleted Active Directory object 
quickly. 

Which tool should you use? 


A. Dsadd quota 

B. Dsmod 

C. Active Directory Administrative Center 
D. Dsacls 

E. Dsamain 

F. Active Directory Users and Computers 
G. Ntdsutil 

H. Group Policy Management Console 


Answer: C 


Question: 4 


You have users that access web applications by using HTTPS. The web applications are located on the 
servers in your perimeter network. The servers use certificates obtained from an enterprise root 
certification authority (CA). The certificates are generated by using a custom template named 
WebApps. The certificate revocation list (CRL) is published to Active Directory. 

When users attempt to access the web applications from the Internet, the users report that they 
receive a revocation warning message in their web browser. The users do not receive the message 
when they access the web applications from the intranet. 

You need to ensure that the warning message is not generated when the users attempt to access the 
web applications from the Internet. 

What should you do? 


A. Install the Certificate Enrollment Web Service role service on a server in the perimeter network. 
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B. Modify the WebApps certificate template, and then issue the certificates used by the web 
application servers. 

C. Install the Web Application Proxy role service on a server in the perimeter network. Create a 
publishing point for the CA. 

D. Modify the CRL distribution point, and then reissue the certificates used by the web application 
servers. 


Answer: C 


Question: 5 


You network contains an Active Directory domain named contoso.com. The domain contains an 
enterprise certification authority (CA) named CA1. 

You have a test environment that is isolated physically from the corporate network and the Internet. 
You deploy a web server to the test environment. On CA1, you duplicate the Web Server template, 
and you name the template Web_Cert_Test. 

For the web server, you need to request a certificate that does not contain the revocation 
information of CA1. 

What should you do first? 


A. From the properties of CA1, allow certificates to be published to the file system. 

B. From the properties of CA1, select Restrict enrollment agents, and then add Web_Cert_Test to the 
restricted enrollment agent. 

C. From the properties of Web_Cert_Test, assign the Enroll permission to the guest account. 

D. From the properties of Web_Cert_Test, set the Compatibility setting of CA1 to Windows Server 
2016. 


Answer: D 


Question: 6 


DRAG DROP 

You network contains an Active Directory forest. The forest contains an Active Directory Federation 
Services (AD FS) deployment. 

The AD FS deployment contains the following: 

* An AD FS server named server1.contoso.com that runs Windows Server 2016 

* A Web Application Proxy used to publish AD FS 

* A LIPN that uses the contoso.com suffix 

* A namespace named adfs.contoso.com 

You create a Microsoft Office 365 tenant named contoso.onmicrosoft.com. You use Microsoft Azure 
Active Directory Connect (AD Connect) to synchronize all of the users and the UPNs from the 
contoso.com forest to Office 365. 

You need to configure federation between Office 365 and the on-premises deployment of Active 
Directory. 

Which three commands should you run in sequence from Server1? To answer, move the appropriate 
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commands from the list of commands to the answer area and arrange them in the correct order. 
Commands Answer Area 


contoso.com 


Enter-PSSession -Name Office365 | 


Convert_MsolDomainToF ederated -DomainName 


adfs.contoso.com 


Set-MsolADFSContext -Computer 
serverlcontoso.com 


| Connect-MsolService | 


Set-MsolADFSContext -Computer contoso.com 


Answer: 


Commands Answer Area 


Connect-MsolService 


Set-MsolADFSContext -Computer 
Enter-PSSession -Name Office365 serverlcontoso.com 


Convert-MsolDomainToF ederated -DomainName 
contoso.com 
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Question: 7 


Your network contains an Active Directory forest named contoso.com. The forest contains several 
domains. 

An administrator named Admin01 installs Windows Server 2016 on a server named Server1 and then 
joins Server1 to the contoso.com domain. 

Admin01 plans to configure Server1 as an enterprise root certification authority (CA). 

You need to ensure that AdminO1 can configure Server1 as an enterprise C 

A. The solution must use the principle of least privilege. 

To which group should you add Admin01? 

A. Server Operators in the contoso.com domain 

B. Cert Publishers on Server1 

C. Enterprise Key Admins in the contoso.com domain 

D. Enterprise Admins in the contoso.com domain. 


Answer: D 


Question: 17 


Your network contains an enterprise root certification authority (CA) named CA1. 

Multiple computers on the network successfully enroll for certificates that will expire in one year. The 
certificates are based on a template named Secure_Computer. The template uses schema version 2. 
You need to ensure that new certificates based on Secure_Computer are valid for three years. 

What should you do? 


A. Modify the Validity period for the certificate template. 

B. Instruct users to request certificates by running the certregq.exe command. 
C. Instruct users to request certificates by using the Certificates console. 

D. Modify the Validity period for the root CA certificate. 


Answer: A 


Question: 8 


You deploy a new enterprise certification authority (CA) named CA1. 

You plan to issue certificates based on the User certificate template. 

You need to ensure that the issued certificates are valid for two years and support autoenrollment. 
What should you do first? 


A. Run the certutil.exe command and specify the resubmit parameter. 


B. Duplicate the User certificate template. 
C. Add a new certificate template for CA1 to issue. 
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D. Modify the Request Handling settings for the CA. 


Answer: B 


Explanation: 

The built-in templates to do support allow auto-enrollment. You need to duplicate the template then 
modify the permissions on the new template. 

Explanation: 

References: https://docs.centrify.com/en/centrify/adminref/index#page/cloudhelp/cloud- 


admin-install-create-cert-templates 


Question: 9 


Your network contains an Active Directory forest named contoso.com. The forest contains three 
domains named contoso.com, corp.contoso.com, and ext.contoso.com. The forest contains three 
Active Directory sites named Site1, Site2, and Site3. 

You have the three administrators as described in the following table. 


You create a Group Policy object (GPO) named GPO1. 
Which administrator or administrators can link GPO1 to Site2? 


A. Admini and Admin2 only 

B. Admini, Admin2, and Admin3 
C. Admin3 only 

D. Admini and Admin3 only 


Answer: D 


Explanation: 

Explanation: 

References: 
https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx 


Question: 10 


HOTSPOT 

Note: This question is part of a series of questions that use the same scenario. For you convenience, 
the scenario is repeated in each question. Each question presents a different goal and answer 
choices, but the text of the scenario is exactly the same in each question in this series. 

Start of repeated scenario. 
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You work for a company named Contoso, Ltd. 

The network contains an Active Directory forest named contoso.com. A forest trust exists between 
contoso.com and an Active Directory forest named adatum.com. 

The contoso.com forest contains the objects configured as shown in the following table. 


Object ame 
Userl Not applicable Not applicable 
Computer] Not applicable Not applicable 
= 


Group1 and Group2 contain only user accounts. 

Contoso hires a new remote user named User3. User3 will work from home and will use a computer 
named Computer3 that runs Windows 10. Computer3 is currently in a workgroup. 

An administrator named Admin1 is a member of the Domain Admins group in the contoso.com 
domain. 

From Active Directory Users and Computers, you create an organizational unit (OU) named OU1 in 
the contoso.com domain, and then you create a contact named Contact1 in OU1. 

An administrator of the adatum.com domain runs the Set-ADUser cmdlet to configure a user named 
User1 to have a user logon name of User1@litwareinc.com. 

End or repeated scenario. 

You need to join Computer3 to the contoso.com domain by using offline domain join. 

Which command should you use in the contoso.com domain and on Computer3? To answer, select 
the appropriate options in the answer area. 
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Answer Area 


The contoso.com domain: v 
Add-Computer with the-DomainName parameter 
Djoin.exe with the /provision parameter 
Djoin.exe with the /requestodj parameter 
Net computer with the /add parameter 
Netdom.exe with the join parameter 


Computer3: v 
Add-Computer with the-DomainN ame parameter 
Djoin.exe with the /provision parameter 
Djoin.exe with the /requestodj parameter 
Net computer with the /add parameter 
Netdom.exe with the join parameter 


Answer: 


Answer Area 


The contoso.com domain: v 
Add-Computer with the-DomainName parameter 
Djoin.exe with the ‘requestodj parameter 
Net computer with the /add parameter 
Netdom.exe with the join parameter 


Computer3: v 
Add-Computer with the-DomainName parameter 
Djoin.exe with the /provision parameter 
Net computer with the /add parameter 


Netdom.exe with the join parameter 
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